Add additional 2FA options to access vault next to YubiKey / Master Password on macOS / iOS / iPad
Hi,
I have my vault in the iCloud and would love to securely access it on my Mac, iPhone and iPad with entering both my master passwords + 2FA authentication.
Carrying around a Yubikey is too cumbersome (albeit most secure) imho and a second password for iOS can still be compromised.
I guess I am just worried about key logging or anyone accessing my master password(s). Having access to both 2FA + password is very unlikely so that’s why I was thinking about it.
With Google Authenticator for example I could easily switch between apps + use FaceID to quickly access the vault. I know, not most secure but it would still be more secure than only entering the safe password.
Best,
Nils
As the title specifically refers to iOS, let's focus on iOS.
On iOS the app currently offers setting a Master Password in the settings of the app, which is a static password instead of a one-time password.
Suppose we would
- add a “Use 3rd party Authenticator” option
- generate the Master Password randomly (being the TOTP secret key) if this option is set
- allow you to import it into Google Authenticator (QR code might be difficult here as you can't scan your own phone…)
- validate any input given as Master Password against the currently valid authentication code
would that work for you?
Other thoughts?
Sorry, Richard, I've realised now that my title is confusing. The iOS part was only referring to the iOS masterpassword option. Apologies, I have amended the title. I am wishing to have one universal 2FA authentication to access my vault on all devices: MacOS App, iOS + iPad.
Maybe I am also confusing the current TOTP option but that is only for each individual entry within the vault, correct? As my vault has 300+ entries this would be a bit too many 2FA codes.
I guess I am imagining it as follows: pwSafe asks me to enter a 2FA code after I put in my master password to access my vault. This would then require me to go to an Authenticator app (e.g. Google) to read or copy the 6 digit code/TOTP to enter to my vault to gain access. Does that make sense?
To set up the Authenticator application pwSafe would need to create a setup key to be entered to e.g. Google Authenticator, as well as a recovery key if access is lost to the 2FA authenticator, I guess. Someone would need to get access to both the master password + authenticator app / recovery key which would make security significantly higher to gain access to my vault, correct?
Thanks for updating the title, that helps.
I get how you'd like the 2FA to work.
You want to address the risk that somebody replays your password(s), in which case somebody apparently got hold of your safe. Without Yubikey protection, the safe is protected with just the password.
So, if you want the 2FA to really improve security, there needs to be some extra secret key (which is normally stored on the YubiKey…) which is added to the mix when deriving the encryption key. This key can be stored in the keychain, and you'd better make a good backup of it (similar to YubiKey usage).
In a sense, this will be a virtual YubiKey, stored inside pwSafe, unlocked with TOTP.
If implemented correctly, this would even allow using a physical YubiKey if one is available, and otherwise the virtual YubiKey (which both would need to have the same secret, so the virtual one should be the backup of the physical one).
How does that sound?
That sounds great!
Ok, let's see if others are interested in this too.
I do like the concept of the virtual YubiKey (like https://github.com/bulwarkid/virtual-fido but then integrated in pwSafe), although it will never be as secure as a hardware token, because the secret needs to be stored in the keychain (being the most secure location) which can be exposed if e.g. your Mac is compromised.
It's a neat idea.
However, I would continue to use a yubikey because it's more secure.